Cluby Privacy Notice

1. GENERAL INFORMATION

Cluby Oy, business ID: 2932166-8 (hereinafter “Cluby”, “we” or “us”) acts as a controller in relation to the processing of personal data in connection with the use of our service Cluby which is available through a mobile application called Cluby for mobile devices and through our website www.cluby.com (hereinafter the application and the website together as the “Service”). The Service is a loyalty application for venues such as restaurants, cafes, shops, bars, and nightclubs. This privacy policy applies to the users of the Service.

This privacy policy describes how Cluby processes personal data; e.g., what kinds of personal data we collect, for which purposes the personal data is used and to which parties the personal data can be disclosed. We are committed to being transparent about how we collect and use personal data and how we meet our data protection obligations.

Personal data refers to any information relating to a natural person (“data subject”) that can identify the person directly or indirectly. Personal data, data subject, controller and other key terms are defined in the General Data Protection Regulation (2016/679, “GDPR”). Cluby complies with the GDPR in all processing of personal data in conjunction with other applicable data protection legislation (“data protection legislation”).

The Service may contain links to external websites and services operated by other companies that we do not manage. This privacy policy is not applicable to their use, so we encourage you to review the privacy policies that apply to them. We are not responsible for the privacy policies of other websites or external services.

2. CHILDREN

The Service is not intended for children under 13 years of age. If you are under 13, please do not use the Service. If we learn that we have collected or received personal data from a child under 13, we will delete that personal data. If you believe we might have any information from or about a child under 13, please contact us via email at info@cluby.com.

3. CONTROLLER AND CONTACT INFORMATION

Controller: Cluby Oy

Business ID: 2932166-8

Address: Mikonkatu 25, 00100 Helsinki, Finland

Email: info@cluby.com

Controller representative: Joel Leino, Co-Founder, Cluby Oy

4. PURPOSES AND LEGAL BASES FOR PROCESSING PERSONAL DATA

Personal data will be processed for the following purposes based on the defined legal bases:

  • Provision of the Service (contract or its preparation, legitimate interest)
  • Customer communications and provision of information and required notices regarding the Service (legitimate interest)
  • Direct electronic marketing, such as sending newsletters, push-messages and promotions via emails and SMS (consent)
  • Providing marketing in the Service using cookies (consent)
  • Enabling social media services such as videos and sharing buttons (consent)
  • Developing and improving the Service and our business through analytics (consent)
  • Ensuring security of the Service and our business, and preventing abuses (statutory obligation or legitimate interest)
  • Complying and fulfilling our legal duties and obligations such as tax law and accounting related obligations (statutory obligation)
  • Establishing, exercising, or defending against legal claims (statutory obligation or legitimate interest)

For processing activities that are based on a legitimate interest, we have carefully balanced such legitimate interest with the data subjects’ right to privacy and concluded that our interest outweighs the data subjects’ rights and freedoms.

Where the processing is such that a consent is required by the applicable legislation, we will state so and obtain the consent, and this will be the legal basis for the processing. However, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. If such withdrawal means that we are no longer able to provide the Service, we may cease to provide the Service.

5. WHAT DATA IS COLLECTED, STORED AND PROCESSED?

Cluby collects only such personal data from the data subject that is relevant and necessary for the purposes described in this privacy policy. The Service obtains the information you provide when you register to the Service. Registration with us is mandatory in order to be able to use the basic features of the Service. If you connect or login to your account with Facebook, Facebook shares with us personal information about you such as your profile picture, a sample of your Facebook friends and your Facebook ID.

5.1 User Data that is necessary in order to use the Cluby Services

The following personal data collected and processed by us is necessary in order for a proper performance of the contract between you and us as well as for our legitimate interest whilst fulfilling our contractual obligations towards our Merchants and for the compliance with our legal obligations.

When you register to the Cluby Services and create a user account, you need to provide us with the following information: full name; telephone number; email address; and information relating to your payment instrument(s) such as the number of your payment instrument(s) and the expiration date of your payment instrument(s) (required for the purposes of purchasing products via the Service, however not stored by Cluby, since Cluby uses a third party payment service provider for processing of payments).

5.2 User Data you give us voluntarily and while using Cluby Services

Your user or customer experience may be enhanced by providing us with the following information:

Additional Account Information includes a picture; location data (if you consent to the processing of your location data), age, gender, and other information you provide either when creating a user account or later when modifying your account profile.

5.3 Other Information.

We may also process other information provided by you voluntarily such as:

  • information related to your purchases through Cluby Services (for example, tickets or products purchased, date and time of purchases, total amount of purchases and other purchase history)
  • restaurants you join as a member and other marketing opt-ins and opt-outs preferences
  • information you provide by phone or in email or chat correspondence with us
  • the type of mobile device you use
  • your mobile devices unique device ID
  • the IP address of your mobile device
  • your mobile operating system
  • the type of mobile Internet browsers you use
  • information about the way you use the Service

Once you join as a member to a restaurant, you opt-in and allow the restaurant owners to contact you with relevant marketing messages on different methods, such as emails, SMSs and push notifications, if you have given consent for marketing. Once you join a restaurant or buy products or tickets, the restaurant owners can see your name, age, date of birth, and other relevant information in order to give you perks, e.g. personal benefits, membership cards, discounts, event tickets or other similar services.

When you use the Service, we may use GPS technology (or other similar technology) to determine your current location in order to provide you the services and to determine if you have entered one of the supported venues. Additionally, with your consent, we may share your current location with other users or the venue you are in. In order for us to process your location data, we will ask your consent to this kind of processing. Such consent can also be withdrawn. If you do not want us to use your location data for the purposes set forth above anymore, you can turn off the location services for the Service in your mobile phone settings.

Please note that some or all of the personal data mentioned in this privacy policy may be required in order for the Service to function properly.

Cluby uses different third party analytics and telemetry providers, marketing or affiliate partners, and other services integrated into our client software listed below:

In addition, the Service may collect certain information automatically, including, but not limited to:

  • Bugsnag / SmartBear Software Inc. / Error event and perfomance tracking / Link
  • Google Tag Manager / Google / Analytics and reporting / Link
  • Mixpanel / Mixpanel Inc / Analytics and reporting / Link
  • Leadfeeder / Dealfront Group GmbH / Analytics and reporting / Link

6. DATA SOURCES

The personal data is mainly collected directly from the data subjects themselves, for example, when downloading, signing in and using the Service. Personal data may also be collected automatically when the data subject downloads the Cluby application, visits the Cluby website and uses the Service in general. In addition, and with the permission of the data subject, data may be collected in other ways in a marketing context. Personal data may be updated and supplemented by collecting data from private and public sources.

7. RETENTION OF PERSONAL DATA

Cluby does not store your personal data longer than is legally permitted and necessary for the purposes of providing the Cluby Services or the relevant parts thereof. The storage period depends on the nature of the information and on the purposes of processing. The maximum period may therefore vary per use.

After a User has deleted their user account personal data may be stored only as long as such processing is required by law or is reasonably necessary for our legal obligations or legitimate interests such as claims handling, bookkeeping, internal reporting and reconciliation purposes.

We assess regularly the storage period for personal data to ensure the data is stored only for the necessary time period.

8. DISCLOSURES, TRANSFERS AND RECIPIENTS OF PERSONAL DATA

For the purposes stated in this privacy policy, the personal data may be disclosed, when necessary, to authorities and to selected third parties, such as third-party service providers. In such case, the personal data will be disclosed for purposes defined above and any disclosure is always limited to only the strictly necessary personal data included in such purposes.

We may in certain cases disclose personal data to our partners for such third parties’ own purposes based on their legitimate interests.

In addition, we may share the personal data in connection with any merger, sale of our assets, or a financing or acquisition of all or a portion of our business and in connection with other similar arrangements.

The personal data is also disclosed to third parties if required under any applicable law or regulation or order by competent authorities, and to investigate possible infringing use of the products and services as well as to guarantee the safety and usability of the products and services. In the event of emergencies or other unexpected circumstances, Cluby may be required to disclose the personal data of registered persons in order to protect human life, health and property.

9. DATA TRANSFERS OUTSIDE THE EU/EEA

Some of the services used by us for processing personal data may operate outside the territory of the EU or the EEA. Thus, personal data can be transferred outside the European Union and the European Economic Area.

In case personal data is transferred outside the EU/EEA, such transfers are either made to a country that is deemed to provide an adequate level of data protection by the European Commission or transfers are carried out by using appropriate safeguards such as Standard Contractual Clauses (SCC) adopted, including any supplementary measures, where assessed to be necessary, or as otherwise approved by the EU Commission or competent data protection authority in accordance with the GDPR.

10. PROTECTION OF PERSONAL DATA

Securing the integrity and confidentiality of personal data is important to us. We have taken appropriate technical and organizational measures in accordance with industry standards in order to keep personal data safe and to secure it against unauthorized access, loss, misuse or alteration by third parties, such as by firewalls, physical security measures, access controls, assignment of access rights, encryption and active monitoring of the aforementioned measures.

All parties processing personal data have a duty of confidentiality in matters related to the processing of personal data. Access to personal data is restricted to those employees and parties who need it to perform their duties. We also require our service providers to have appropriate methods in place to protect personal data.

11. USE OF COOKIES AND SIMILAR TECHNOLOGIES

We use various technologies to collect and store Usage Data and other information when the Users visit the Cluby Services, including cookies, storing website data, and using web and application telemetry.

Cookies and other website data saved on your device allow us to identify visitors of the Cluby Services and facilitate the use of the Cluby Services and to create aggregate information of our visitors. This helps us to improve the Cluby Services and better serve our Users. The cookies and other website data will not harm your device or files. We use cookies and other website data to tailor the Cluby Services and the information we provide in accordance with the individual interests of our Users.

The Users may choose to set their web browser to refuse cookies. You can manage your cookie preferences through the cookie banner on our websites. Please note that some parts of the Cluby Services may not function properly if use of cookies is refused.

12. AUTOMATED DECISION-MAKING AND PROFILING

We do not use any automated decision-making or any profiling pursuant to the Article 22 GDPR.

13. RIGHTS OF THE DATA SUBJECTS

The data subject has several rights under applicable data protection laws.

Right of access and right of inspection

The data subject has the right to obtain confirmation as to whether or not personal data concerning them is being processed.

The data subject has the right to inspect and view data concerning them and, upon a request, the right to obtain the data in a written or electronic form. This applies to information that the data subject has provided to us insofar the processing is based on a contract/consent.

Right to rectification and right to erasure

The data subject has the right to demand the rectification of incorrect personal data concerning them and to have incomplete personal data completed.

The data subject has the right to require us to delete or stop processing the data subject’s personal data, for example where the data is no longer necessary for the purposes of processing.

However, please note that certain personal data is strictly necessary in order to achieve the purposes defined in this privacy policy and may also be required to be retained by applicable laws.

Right to data portability

The data subject has the right to receive the personal data that he or she has provided to us in a structured, commonly used, and machine-readable format and, if desired, transmit that data to another controller. The right to data portability applies on the processing of the personal data based on consent or a contract.

Right to restriction of processing

The data subject has the right, under conditions defined by data protection legislation, to request the restriction of processing of his or her personal data. In situations where personal data suspected to be incorrect cannot be corrected or removed, or if the removal request is unclear, we will limit the access to such data.

Right to object to processing

The data subject has the right to object to the processing of his or her personal data where we are relying on legitimate interests as the legal ground for processing. For example, the data subject may object to his or her personal data being used for marketing purposes.

Right to withdraw consent

In cases where the processing is based on the data subjects’ consent, the data subject has the right to withdraw his or her consent to such processing at any time.

Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with a competent data protection authority if the data subject considers that the processing of personal data relating to the data subject infringes current legislation.

However, we request that the matter will be dealt with us in the first instance.

The relevant authority in Finland is the Data Protection Ombudsman (http://www.tietosuoja.fi).

14. EXERCISING RIGHTS

Requests regarding the rights of data subjects shall be made in written or in electronic form, and the request shall be addressed to the controller, Cluby, using the contact details mentioned on this privacy policy.

Identity can be checked before the information is given out, which is why we may have to ask for additional details. The request will be responded to within a reasonable time and, where possible, within one month of the request and the verification of identity.

If the data subject’s request cannot be met, the refusal shall be communicated to the data subject in writing. We may refuse the request (for example erasure of data) due to a statutory obligation or a statutory right of the company, such as an obligation or a claim relating to our services. Please note that we may charge a reasonable fee where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character.

The data subject may exercise the aforementioned rights by sending a written request by email or mail using the contact information provided in this privacy policy.

If you have any questions relating to our data protection policies or wish to exercise your rights, please do not hesitate to contact us via email at info@cluby.com. We recommend using the Cluby mobile app (found in Settings -> Account -> Deactivate Account) to request the deletion of your account and personal data. This method allows us to identify you more easily.

15. CHANGES TO THIS PRIVACY POLICY

We can make changes to this privacy policy at any time by giving a notice on our website or in the Cluby application and/or by other applicable means. The data subjects are highly recommended to review the privacy policy every now and then.

If the data subject objects to any of the changes to this privacy policy, the data subject should cease using the services and the Service, where applicable, and he/she can request that we remove the personal data, unless applicable laws require us to retain such personal data.

This privacy policy was last updated on 14th of February 2024.